OWASP LLM01 · The #1 risk in LLM applications

Self-hosted defence
against prompt injection,
built for the enterprise.

A purpose-trained model that validates every LLM input before it reaches your stack. Industry-leading detection accuracy. Zero data leaves your infrastructure.

0.991 AUC · 4 benchmarks 1.24% false positives 5–10 ms CPU inference EU-based
The threat surface

LLMs follow instructions.
That is exactly the risk.

Large language models do not separate instructions from data — by design, any untrusted text reaching the model can become a command. Static rules and keyword filters cannot close this gap; new vectors are catalogued weekly.

RISK · 01

Prompt injection attacks

Malicious instructions hidden in user inputs, retrieved documents, or emails that hijack model behaviour, override system prompts, and exfiltrate sensitive data.

RISK · 02

Jailbreaks & policy bypass

Adversarial prompts crafted to bypass content policies, extract system instructions, or force agents to execute actions outside their intended scope.

RISK · 03

Confidential data leakage

Crafted inputs that extract PII, trade secrets, or internal system context from your enterprise AI — triggering compliance violations and potential breaches.

RISK · 04

No deterministic fix

Filters and allow-lists cannot enumerate a growing attack surface. The only defensible answer is a model trained on the full corpus of known injection patterns.

The platform

A screening layer between
untrusted input and your model.

Bastion is a self-hosted prompt-injection scanner that validates every input before it reaches your LLM, agent, or tool-calling workflow.

STEP 01

Deploy inside your environment

Pull the model artefact, run it on CPU or GPU within your own infrastructure. No outbound calls, no telemetry, fully air-gappable.

STEP 02

Screen every input inline

Route untrusted text — user messages, emails, documents, web content, RAG context — through Bastion before it enters your model. Typically 5–10 ms per check.

STEP 03

Ship with a defensible posture

Your team has a benchmarked, audit-ready answer for security review, procurement, and regulators: a documented, measurable control on LLM01.

# Host Bastion as a microservice within your environment
import json, urllib.request

req = urllib.request.Request(
    "https://bastion.internal/protect",
    data=json.dumps({"prompt": user_input}).encode(),
    headers={"Content-Type": "application/json"},
    method="POST"
)

with urllib.request.urlopen(req) as resp:
    if json.loads(resp.read())["risk"] >= 0.5:
        raise ValueError("Prompt blocked")
# Embed the SDK directly in your application
from bastion_prompt_protection import Guard

guard = Guard()
result = guard.protect(user_input)

if result.is_attack:
    raise ValueError("Prompt blocked")
# Run inference directly with the ONNX model weights
import json
import numpy as np
import onnxruntime
from tokenizers import Tokenizer

MODEL_DIR = "binary-bastion-prompt-protection-deberta-v3-xsmall-v1"

session = onnxruntime.InferenceSession(f"{MODEL_DIR}/onnx/model_quantized.onnx")
tokenizer = Tokenizer.from_file(f"{MODEL_DIR}/tokenizer.json")
temperature = json.loads(open(f"{MODEL_DIR}/temperature.json").read())["temperature"]

enc = tokenizer.encode("Ignore previous instructions")
logits = session.run(None, {
    "input_ids": np.array([enc.ids], dtype=np.int64),
    "attention_mask": np.array([enc.attention_mask], dtype=np.int64),
})[0][0] / temperature
shifted = logits - logits.max()
risk = float(np.exp(shifted)[1] / np.exp(shifted).sum())
 
 
See the detected prompt injections

The threat dashboard

Optional companion software - the Bastion Lens dashboard to review and reason about the threats blocked or missed.

Benchmarks · public & reproducible

The numbers stand on their own.

Three things decide whether a detector belongs in production: it has to catch attacks, stay out of the way of real users, and see the injections hidden inside data. Bastion leads on all three — every result below is public and reproducible on HuggingFace.

Catches attacks

ROC-AUC · higher is better
Detector Average xTRam1 S-Labs JBB rogue
bastion-prompt-protection 0.991 0.998 0.996 0.986 0.986
sentinel 0.959 0.991 0.955 0.894 0.997
wolf-defender 0.954 0.996 0.986 0.847 0.988
hlyn judge 0.950 0.995 0.891 0.934 0.980
protectai v2 0.850 0.992 0.978 0.600 0.830
deepset injection 0.766 0.666 0.961 0.649 0.787

Stays out of the way

false-positive rate · lower is better

The failure that quietly kills a detector in production isn't a missed attack — it's blocking the real users it sits in front of. Measured on genuine first messages from WildChat and LMSYS.

1.24% of real users wrongly blocked — the lowest of any detector measured.

Sees the hidden kind

indirect injection · AUC, higher is better

Attacks increasingly hide inside the data an app trusts — documents, JSON fields, tool output. Averaged across six agent and document benchmarks (Z-Edgar, BIPIA, InjecAgent, AgentDojo, HackAPrompt, TensorTrust). Scale starts at 0.5 — the score of a coin flip.

Architecture · security by deployment

Built to run inside your stack,
not alongside it.

No tokens. No transactions. No outbound connections. A model artefact you own, deploy, and control end-to-end.

01 · DEPLOYMENT

Runs entirely inside your environment

Deploy as a model artefact and run air-gapped on your own infrastructure. Bastion never calls out, never sees your prompts, never depends on a remote service.

air-gap on-prem vpc
02 · PERFORMANCE

Fast CPU inference, inline-ready

5–10 ms per prompt on standard server CPUs. Sits inline in any production workflow — chat, agents, RAG pipelines, document ingestion — without adding user-visible latency.

onnx int8 cpu-native
03 · INTEGRATION

Multiple integration surfaces

Raw model weights, a 10-line Python script, the open-source SDK, or the full private microservice. Choose the integration that fits your stack and review process.

python-sdk docker rest-api onnx-runtime
04 · GOVERNANCE

Calibrated probabilities, configurable policy

Every classification returns a calibrated probability score, not a binary flag. Tune thresholds per use case. Supports EU AI Act human-oversight and logging requirements out of the box.

eu-ai-act gdpr nist-ai-rmf
Why Bastion

A purpose-built control,
not a general-purpose filter.

Five reasons enterprise teams choose Bastion over generic content moderation or in-house heuristics.

01

Trained on hundreds of thousands of real injection variants.

Not a ruleset. Not a generic safety classifier. A model that has seen the full prompt-injection attack surface and leads every public benchmark it is measured against.

02

Publicly benchmarked, independently reproducible.

Top-ranked across publicly accessible detectors on HuggingFace. Any engineer can re-run the benchmarks against their own data. No marketing claims behind closed doors.

03

Self-hosted — your data never leaves your infrastructure.

Deployed as a model artefact inside your environment. No per-request fees. No prompts shared with any third party. No outbound network dependency.

04

5–10 ms CPU inference, production-ready.

Optimised for standard server CPUs. Runs inline in your pipeline without adding user-visible latency or requiring dedicated GPU capacity.

05

EU company, EU jurisdiction — built for regulated industries.

Governed under EU law. Directly applicable for GDPR, EU AI Act, and high-stakes deployments in finance, healthcare, and public sector.

* BENCHMARKED JUNE 2026

Licensing

Predictable transparent licensing.

No per-request fees. No metered token costs. Volume and group-wide pricing on request.

Community
Open
Evaluation, research, and non-commercial use.
€0
free, forever
  • x-small model
  • English language
  • AGPL-3.0 licence
  • Community support
View on GitHub
Single product
Product
One commercial product, one tenant boundary.
333
per month, billed annually
  • Multi-lingual model
  • Up to 5 dev environments
  • Commercial licence
  • Email support, 2 business days
Request quote
Group-wide
Enterprise
Multi-entity groups, regulated industries, audit-grade.
Custom
tailored to your estate
  • Everything in Company
  • Group-wide licence
  • Named security engineer
  • Custom MSA, DPA, NDA
  • Procurement & audit support
Request quote
14-day money-back guarantee — no questions asked  See policy Secure checkout via Stripe Instant licence delivery

Need an offline evaluation, a security questionnaire, or a Soft-letter for procurement?  Get in touch.

Procurement & security

Questions enterprise
buyers ask first.

If your security or procurement team needs documentation we don't list here, just ask — we'll send a complete pack.

You receive the model artefact (ONNX, quantised) and your choice of integration — raw weights, Python SDK, Docker image with a REST API, or the full microservice helm chart. Everything runs inside your VPC or on-prem. No outbound network calls, no telemetry.
NOTE: you either pre-download the model weight file yourself, or *request* SDK to download and cache it (once) from our online storage.
None. Bastion makes zero outbound network calls in production deployment. Your prompts, your users' data, your detection results — all stay inside your environment.
Commercial licences are per-product or group-wide, with a signed MSA and DPA. No per-request, per-token, or usage-based fees — so there is nothing to meter, nothing to leak, and nothing for procurement to model against unpredictable AI traffic.
Yes. Product and Company licences purchased through self-serve checkout come with a 14-day money-back guarantee — no questions asked. Email info@bastionsoft.com within 14 calendar days of your purchase with your order number and we will process a full refund within 5 business days. Full refund policy →
Bastion Soft is incorporated in Lithuania (EU). Default contracts are governed by Lithuanian law with EU jurisdiction. We offer customer-jurisdiction MSAs on Enterprise plans where required by procurement.
Bastion is model-agnostic. It validates inputs before they reach any LLM — OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Google Vertex, Mistral, self-hosted Llama, or any custom model. Works with LangChain, LlamaIndex, Semantic Kernel, and direct API integrations.
Bastion licence is procurement-friendly. You can find the standard EULA here.
Drop a message at info@bastionsoft.com if you have procurement-related questions.
Here's the full technical disclosure (with a test harness you can re-run independently).
Talk to sales

Your AI is live.
Make it defensible.

Tell us about your stack and your security posture. We'll come back within one business day with a tailored deployment plan, the documents your procurement team needs, and a path to a proof-of-value in your environment.

Response within one business day.
No commitment required.
EU-based team · EU jurisdiction.

By submitting, you agree to be contacted about Bastion. We don't share your data. See our Privacy Policy.